ProviderManager dead loop with AuthenticationManagerBuilder、AuthenticationManagerDelegator

[yamingd]

Summary

trying spring cloud security oauth2, but found dead loop and finally caused stack overflow;

@Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

@Configuration
@EnableAuthorizationServer
public class OAuthServerConfiguration extends AuthorizationServerConfigurerAdapter {

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Autowired
    private DataSource dataSource;

    @Autowired
    private BCryptPasswordEncoder passwordEncoder;


    /**
     * The OAuth2 tokens are defined in the datasource defined in the
     * <code>authenticationManager-server.yml</code> file stored in the Spring Cloud config
     * github repository.
     *
     * @return
     */
    @Bean
    public JdbcTokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Bean
    protected AuthorizationCodeServices authorizationCodeServices() {
        return new JdbcAuthorizationCodeServices(dataSource);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer)
            throws Exception {

        oauthServer.passwordEncoder(passwordEncoder)
                    .tokenKeyAccess("permitAll()")
                    .checkTokenAccess("isAuthenticated()")
                    .allowFormAuthenticationForClients();

    }

    /**
     * We set our authorization storage feature specifying that we would use the
     * JDBC store for token and authorization code storage.<br>
     * <br>
     *
     * We also attach the {@link AuthenticationManager} so that password grants
     * can be processed.
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {

        endpoints.authorizationCodeServices(authorizationCodeServices())
                .authenticationManager(authenticationManager)
                .tokenStore(tokenStore())
                .approvalStoreDisabled()
                .allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);
    }

    /**
     * Setup the client application which attempts to get access to user's
     * account after user permission.
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients)
            throws Exception {

        clients.jdbc(dataSource)
                .passwordEncoder(passwordEncoder);
    }

}

[jgrandja]

@yamingd Can you please publish your code to a github repo so that I can check it out and reproduce the exact same problem you are having.
This would be the most effective method for me to troubleshoot.
Thank you.

[anand7719]

I am also having same issue,
Everything works fine if I don't user passwordEncoder, when I have it configured (BCryptPasswordEncoder), the DaoAuthenticationProvider is in endless loop, eventually causing stackoverflow.
Here is my observation,
first call goes thr DaoAuthenticationProvider.authenticate just fine, the Authorization header is removed as a result of success authentication. Then again the DaoAuthenticationProvider.authenticate is called and can not find Authorization header and it doesn't stop there, it keep going on a loop.
Here is my log snippet...

2017-05-16 15:27:30.563 DEBUG 19996 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Basic Authentication Authorization header found for user 'TEST'
2017-05-16 15:27:52.302 DEBUG 19996 --- [nio-8080-exec-4] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2017-05-16 15:28:35.414 DEBUG 19996 --- [nio-8080-exec-1] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2017-05-16 15:28:35.415 DEBUG 19996 --- [nio-8080-exec-1] .g.s.o.g.DemoGeodeClientDetailsService : Entering loadClientByClientId clientId=TEST
2017-05-16 15:28:35.415 DEBUG 19996 --- [nio-8080-exec-1] c.g.s.o.geode.GeodeClientDetailsHelper : Enterting getByClientId clientId=TEST
2017-05-16 15:28:35.423 TRACE 19996 --- [nio-8080-exec-1] .g.s.o.g.DemoGeodeClientDetailsService : clientDetails org.springframework.security.oauth2.provider.client.BaseClientDetails@bc69efc[clientId=TEST,clientSecret=$2a$10$VPm8.cZpo6QFBXFYl4AGmO2eREb0OHKQfVXvQ24iTe/kRBE2PhyRu,scope=[ADMIN, READ],resourceIds=[],authorizedGrantTypes=[client_credentials, service_ticket, refresh_token],registeredRedirectUris=,autoApproveScopes=,authorities=[READ, ADMIN],accessTokenValiditySeconds=7600,refreshTokenValiditySeconds=1000,additionalInformation={}]
2017-05-16 15:28:35.423 DEBUG 19996 --- [nio-8080-exec-1] .g.s.o.g.DemoGeodeClientDetailsService : Exiting loadClientByClientId clientId=TEST
2017-05-16 15:28:37.513 DEBUG 19996 --- [nio-8080-exec-1] o.s.s.a.dao.DaoAuthenticationProvider : Authentication failed: password does not match stored value
2017-05-16 15:28:41.533 DEBUG 19996 --- [nio-8080-exec-1] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2017-05-16 15:28:41.534 DEBUG 19996 --- [nio-8080-exec-1] .g.s.o.g.DemoGeodeClientDetailsService : Entering loadClientByClientId clientId=TEST
2017-05-16 15:28:41.534 DEBUG 19996 --- [nio-8080-exec-1] c.g.s.o.geode.GeodeClientDetailsHelper : Enterting getByClientId clientId=TEST
2017-05-16 15:28:41.537 TRACE 19996 --- [nio-8080-exec-1] .g.s.o.g.DemoGeodeClientDetailsService : clientDetails org.springframework.security.oauth2.provider.client.BaseClientDetails@4d4850a8[clientId=TEST,clientSecret=$2a$10$VPm8.cZpo6QFBXFYl4AGmO2eREb0OHKQfVXvQ24iTe/kRBE2PhyRu,scope=[ADMIN, READ],resourceIds=[],authorizedGrantTypes=[client_credentials, service_ticket, refresh_token],registeredRedirectUris=,autoApproveScopes=,authorities=[READ, ADMIN],accessTokenValiditySeconds=7600,refreshTokenValiditySeconds=1000,additionalInformation={}]
2017-05-16 15:28:41.538 DEBUG 19996 --- [nio-8080-exec-1] .g.s.o.g.DemoGeodeClientDetailsService : Exiting loadClientByClientId clientId=TEST

[anand7719]

@jgrandja @rwinch I have published my code @ https://github.com/anand7719/demoOAuth and invited both of to collaborate(not sure if there is a better way to share it), I think you both should have access once u accept the invitation. Let me know if you need additional details.

[jgrandja]

Thanks @anand7719. I will look into this and get back to you shortly.

[jgrandja]

Hi @anand7719 The root issue that is causing the infinite loop is this code in WebSecurityConfig:

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

Removing this override altogether will solve your infinite loop issue.

If you read the javadoc for public AuthenticationManager authenticationManagerBean() it states the following:

Override this method to expose the AuthenticationManager from configure(AuthenticationManagerBuilder) to be exposed as a Bean.

First issue is that you are not overriding configure(AuthenticationManagerBuilder) and hence not providing a custom configuration of AuthenticationManager. If you were providing a custom configuration then you may override authenticationManagerBean() to expose it as a Bean if you required it elsewhere in your application for injection.

The resulting effect of you overriding authenticationManagerBean() and exposing it as a Bean in the ApplicationContext causes it to be the parent or global AuthenticationManager. The parent AuthenticationManager is ultimately configured with a DaoAuthenticationProvider composed of your implementation of DemoGeodeClientDetailsService.

The AuthorizationServerConfigurer is also configured with the DemoGeodeClientDetailsService so when this AuthenticationManager is built it contains a DaoAuthenticationProvider composed of your DemoGeodeClientDetailsService and the parent AuthenticationManager is set as per above which also has the DemoGeodeClientDetailsService.

So when you make a request to /oauth/revoke, the DaoAuthenticationProvider (composed of DemoGeodeClientDetailsService) is invoked and errors out with the password check and then it delegates to the parent to attempt authentication which calls the DaoAuthenticationProvider (composed of DemoGeodeClientDetailsService) as well which errors out the same and is the start of the infinite loop. The bottom line is that your configuration is not correct.

The only place you need to configure your DemoGeodeClientDetailsService is in DemoAuthorizationConfigurer. This is OAuth specific so it belongs in AuthorizationServerConfigurerAdapter. Configurations within WebSecurityConfigurerAdapter should contain general and global security configuration only. Please remove the following from WebSecurityConfig.

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

	@Autowired
	private ClientDetailsService clientDetailsService;

http.userDetailsService(new ClientDetailsUserDetailsService(clientDetailsService));

I know it's a bit of a long explanation but I hope it makes sense?

[jgrandja]

Hi @yamingd please see this comment and let me know if this solves your issue.
If it doesn't, please publish your code to a github repo so I can get to the root of the issue.

[anand7719]

@jgrandja Thanks for providing the fix, it fixed my loop issue. However, it opened up another challenge(in fact the code I removed based on your recommendation was originally added to fix the issue now I facing).

After removing the recommend block of code, I get 403 on my revoke end point(I know revoke is not part of Spring implementation which is why I added the endpoint).

`2017-05-22 14:10:34.264 DEBUG 4548 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/oauth/revoke'; against '/api/oauth/revoke'
2017-05-22 14:10:34.264 DEBUG 4548 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/oauth/revoke; Attributes: [fullyAuthenticated]
2017-05-22 14:10:34.264 DEBUG 4548 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2017-05-22 14:10:34.265 DEBUG 4548 --- [nio-8080-exec-3] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@41dcc480, returned: -1
2017-05-22 14:10:34.275 DEBUG 4548 --- [nio-8080-exec-3] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point

org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-4.2.2.RELEASE.jar:4.2.2.RELEASE]`

You should see this if you run my Junit Test.

Basically, I wanted to secure "/api/oauth/revoke" api using the same AUTH provider which secures "/oauth/token". Is there a way to hook my revoke endpoint to Spring's Auth provider?

[anand7719]

One additional question,

I am supporting a new grant type "service_ticket", the clients send a service ticket and client id(no secret) and my custom granter validates the service ticket and grant a access token. Is there way to skip Spring provided Auth on /oauth/token if the grant type is "service_ticket"?

[anand7719]

I also noticed the following log after removed the recommended code block
`Eagerly initializing {webSecurityConfig=com.garmin.security.oauth.config.WebSecurityConfig$$EnhancerBySpringCGLIB$$5d1036f1@ec8f4b9}
2017-05-22 14:09:25.478 INFO 4548 --- [ main] b.a.s.AuthenticationManagerConfiguration :

Using default security password: 67705fdc-c3ba-439c-be29-118955303bab`

[jgrandja]

@anand7719 In order to secure your /api/oauth/revoke endpoint, add the following configuration to WebSecurityConfig:

// Add this original config back
	@Autowired
	private ClientDetailsService clientDetailsService;

// Add this new config
	@Autowired
	public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
		ClientDetailsUserDetailsService clientDetailsUserDetailsService = new ClientDetailsUserDetailsService(this.clientDetailsService);
		auth.userDetailsService(clientDetailsUserDetailsService).passwordEncoder(new BCryptPasswordEncoder());
	}

Your unit test OAuthClientCredentialTestIT should work now

[anand7719]

@jgrandja Until unless I am doing something wrong, the revoke still give 403, the unit test passes because my revoke call eating up exception because the test was to test getting token. If you look @ the server log, you will see the below.

2017-05-23 14:15:54.334 DEBUG 28056 --- [nio-8080-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/oauth/revoke; Attributes: [fullyAuthenticated]
2017-05-23 14:15:54.334 DEBUG 28056 --- [nio-8080-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2017-05-23 14:15:54.334 DEBUG 28056 --- [nio-8080-exec-5] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@15298bd9, returned: -1
2017-05-23 14:15:54.344 DEBUG 28056 --- [nio-8080-exec-5] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point

org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-4.2.2.RELEASE.jar:4.2.2.RELEASE]

[jgrandja]

@anand7719 I've attached a git patch file with the changes I made to get the test passing including the /api/oauth/revoke endpoint.

I'm going to close this issue as it's not a bug but related to misconfiguration.

Here are a couple of examples you can work from as well
https://github.com/jgrandja/messaging-sample
https://github.com/jgrandja/spring-security-oauth-sample

Also, the best place to have questions answered in a more timely manner is on Stack Overflow.

demoOAuth-patch.txt